Threat Activity Detected

Description

Alerts when any activity matching threat intelligence is detected.

GDPR Relevance

Problem:

Threat activity can indicate a high-priority risk. For example, compromised hosts may be attempting to communicate with malicious command and control servers. Detected threat activity can represent a range of potential security issues that may be unpredictable and difficult to handle. In the above example, a single match against threat intelligence does not by itself show whether the communication is simple beaconing or whether sensitive data is being exfiltrated.
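To make the matching concrete, the following is an added example (not code from the original page or from the product it documents) of the core logic behind such an alert: outbound connection records are compared against a threat-intelligence list of destination IPs and domains, and every hit produces an alert. The indicator values, the log format, the key=value field names and the 10 MiB exfiltration threshold are all constructed assumptions for this example. The severity field reflects the ambiguity described above: the same indicator match is graded higher when the outbound volume looks more like exfiltration than beaconing, so that the analyst can prioritise the investigation that GDPR's 72-hour clock demands.

```python
"""Added example: match outbound connection logs against a threat-intel list."""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed threat-intelligence indicators (placeholders in TEST-NET and
# .invalid space, not real IoCs).
THREAT_INTEL = {
    "ip": {"203.0.113.10", "198.51.100.77"},
    "domain": {"c2.example.invalid", "drop.example.invalid"},
}

# Constructed outbound-connection records, one key=value record per line.
SAMPLE_LOGS = """\
ts=2024-05-01T10:00:05Z src=10.0.0.15 dest=203.0.113.10 dest_host=c2.example.invalid bytes_out=412
ts=2024-05-01T10:05:05Z src=10.0.0.15 dest=203.0.113.10 dest_host=c2.example.invalid bytes_out=398
ts=2024-05-01T10:07:00Z src=10.0.0.22 dest=93.184.216.34 dest_host=www.example.com bytes_out=1500
ts=2024-05-01T10:09:30Z src=10.0.0.31 dest=198.51.100.77 dest_host=files.drop.example.invalid bytes_out=52428800
"""

# Assumed tuning value: above this, a hit looks more like exfiltration than beaconing.
EXFIL_BYTES_THRESHOLD = 10 * 1024 * 1024


@dataclass
class Alert:
    ts: str
    src: str
    dest: str
    matched: str          # the indicator value that matched
    indicator_type: str   # "ip" or "domain"
    bytes_out: int

    @property
    def severity(self) -> str:
        """Grade the hit by outbound volume: large transfers get a higher priority."""
        return "high" if self.bytes_out >= EXFIL_BYTES_THRESHOLD else "medium"


def parse_line(line: str) -> Dict[str, str]:
    """Parse one key=value record; bytes_out defaults to 0 when absent."""
    fields = dict(kv.split("=", 1) for kv in line.split())
    fields.setdefault("bytes_out", "0")
    return fields


def match_threat_intel(line: str, intel=THREAT_INTEL) -> Optional[Alert]:
    """Return an Alert if the record's destination IP or host matches an indicator."""
    rec = parse_line(line)
    bytes_out = int(rec["bytes_out"])
    if rec["dest"] in intel["ip"]:
        return Alert(rec["ts"], rec["src"], rec["dest"], rec["dest"], "ip", bytes_out)
    host = rec.get("dest_host", "").lower().rstrip(".")
    for domain in intel["domain"]:
        # Match the domain itself and any subdomain of it.
        if host == domain or host.endswith("." + domain):
            return Alert(rec["ts"], rec["src"], rec["dest"], domain, "domain", bytes_out)
    return None


def detect(log_text: str, intel=THREAT_INTEL) -> List[Alert]:
    """Run every non-empty log line through the matcher and keep the hits."""
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        alert = match_threat_intel(line, intel)
        if alert is not None:
            alerts.append(alert)
    return alerts


def summarize(alerts: List[Alert]) -> Dict[str, Dict[str, object]]:
    """Roll alerts up per internal source host: hit count, total bytes, worst severity."""
    summary: Dict[str, Dict[str, object]] = {}
    for a in alerts:
        entry = summary.setdefault(a.src, {"hits": 0, "bytes_out": 0, "severity": "medium"})
        entry["hits"] += 1
        entry["bytes_out"] += a.bytes_out
        if a.severity == "high":
            entry["severity"] = "high"
    return summary


if __name__ == "__main__":
    for a in detect(SAMPLE_LOGS):
        print(f"{a.ts} {a.src} -> {a.dest} matched {a.indicator_type} {a.matched} "
              f"bytes_out={a.bytes_out} severity={a.severity}")
    print(summarize(detect(SAMPLE_LOGS)))
```

On the constructed input, the two small repeated hits from 10.0.0.15 summarise as a medium-severity beaconing pattern, while the single large transfer from 10.0.0.31 is graded high because it is the case where data may already have left the network and breach documentation and reporting may be required.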

Impact:

Early detection of threat activity is critical to effective and timely response. This is a security best practice.

Specific to the GDPR, organizations must collect the full audit trail of data processing activities on the systems and applications involved, and must document, investigate, and report any data breach. Threat activity indicates a potential breach and therefore a high-risk situation for personal data. Detection and awareness of threat activity is critical to responding in a timely manner, within the 72-hr deadline of the GDPR, as well as to maintaining compliance with GDPR requirements. If detection indicates a condition of high risk and non-compliance, it needs to be documented, remediated, and potentially investigated and reported. Lacking the ability to detect such threat activity can impact the organization across a wide array of GDPR articles: Article 15 (individuals have the right to ask an organization where their data is stored, and right-of-access requirements also apply to contractors and sub-processors); Article 28 (proving that only authorized individuals have accessed personal data, and documenting and reporting unauthorized access to the data privacy authorities); Article 32 (regularly testing, assessing and evaluating the effectiveness of implemented technical and organizational security controls); Article 58 (demonstrating compliance within the scope of a privacy audit); Article 30 (maintaining a record of processing activities); Article 6 (ensuring legitimate access and lawful intended use and processing); Article 17 (verifying and proving erasure of data); Article 18 and Article 21 (restricting the processing of personal data to a limited set of reasons); and Article 22 (compliance with data subject rights regarding automated decision-making processes).

If the organization faces a personal data breach, the potential impact includes reporting within the 72-hr deadline with full context of what happened during the incident, as well as proving to individuals demanding compensation that the organization has understood and addressed the risk appropriately and deployed proper countermeasures (Article 82). Article 33 requires organizations to inform the authorities, including details about the nature of the breach; the same requirement exists within Article 34, under which organizations must identify which individuals are affected.